The government is increasingly using corporations to
do its surveillance work, allowing it to get around restrictions that protect
the privacy and civil liberties of Americans, according to a report released
Monday by the American Civil Liberties Union, an organization that works
to protect civil liberties.

Data aggregators -- companies that aggregate information
from numerous private and public databases -- and private companies that
collect information about their customers are increasingly giving or selling
data to the government to augment its surveillance capabilities and help
it track the activities of people.

Because laws that restrict government data collection
don't apply to private industry, the government is able to bypass restrictions
on domestic surveillance. Congress needs to close such loopholes, the ACLU
said, before the exchange of information gets out of hand.

"Americans would really be shocked to discover the
extent of the practices that are now common in both industry and government,"
said the ACLU's Jay Stanley, author of the report. "Industry and government
know that, so they have a strong incentive to not publicize a lot of what's
going on."

Last year, JetBlue Airways acknowledged that it secretly
gave defense contractor Torch Concepts 5 million passenger itineraries
for a government project on passenger profiling without the consent of
the passengers. The contractor augmented the data with passengers' Social
Security numbers, income information and other personal data to test the
feasibility of a screening system called CAPPS II. That project was slated
to launch later this year until the government scrapped it. Other airlines
also contributed data to the project.

Information about the data-sharing project came to light
only by accident. Critics like Stanley say there are many other government
projects like this that are proceeding in secret.

The ACLU released the Surveillance-Industrial Complex
report in conjunction with a new website designed to educate the public
about how information collected from them is being used.

The report listed three ways in which government agencies
obtain data from the private sector: by purchasing the data, by obtaining
a court order or simply by asking for it. Corporations freely share information
with government agencies because they don't want to appear to be unpatriotic,
they hope to obtain future lucrative Homeland Security contracts with the
government or they fear increased government scrutiny of their business
practices if they don't share.

But corporations aren't the only ones giving private
data to the government. In 2002, the Professional Association of Diving
Instructors voluntarily gave the FBI the names and addresses of some 2
million people who had studied scuba diving in previous years. And a 2002
survey found that nearly 200 colleges and universities gave the FBI information
about students. Most of these institutions provided the information voluntarily
without having received a subpoena.

Collaborative surveillance between government and the
private sector is not new. For three decades during the Cold War, for example,
telegraph companies like Western Union, RCA Global and International Telephone
and Telegraph gave the National Security Agency, or NSA, all cables that
went to or from the United States. Operation Shamrock, which ran from 1945
to 1975, helped the NSA compile 75,000 files on individuals and organizations,
many of them involved in peace movements and civil disobedience.

These days, the increasing amount of electronic data
that is collected and stored, along with developments in software technology,
make it easy for the government to sort through mounds of data quickly
to profile individuals through their connections and activities.

Although the Privacy Act of 1974 prohibits the government
from keeping dossiers on Americans unless they are the specific target
of an investigation, the government circumvents the legislation by piggybacking
on private-sector data collection.

Corporations are not subject to congressional oversight
or Freedom of Information Act requests -- two methods for monitoring government
activities and exposing abuses. And no laws prevent companies from voluntarily
sharing most data with the government.

"The government is increasingly ... turning to private
companies, which are not subject to the law, and buying or compelling the
transfer of private data that it could not collect itself," the report
states.

A government proposal for a national ID card, for example,
was shot down by civil liberties groups and Congress for being too intrusive
and prone to abuse. And Congress voted to cancel funding for John Poindexter's
Total Information Awareness, a national database that would have tracked
citizens' private transactions such as Web surfing, bank deposits and withdrawals,
doctor visits, travel itineraries and visa and passport applications.

But this hasn't stopped the government from achieving
the same ends by buying similar data from private aggregators like Acxiom,
ChoicePoint, Abacus and LexisNexis. According to the ACLU, ChoicePoint's
million-dollar contracts with the Justice Department, Drug Enforcement
Administration and other federal agencies let authorities tap into its
billions of records to track the interests, lifestyles and activities of
Americans.

By using corporations, the report said, the government
can set up a system of "distributed surveillance" to create a
bigger picture than it could create with its own limited resources and
at the same time "insulate surveillance and information-handling practices
from privacy laws or public scrutiny."

Most of the transactions people make are with the private
sector, not the government. So the amount of data available through the
private sector is much greater.

Every time people withdraw money from an ATM, buy books
or CDs, fill prescriptions or rent cars, someone else, somewhere, is collecting
information about them and their transactions. On its own, each bit of
information says little about the person being tracked. But combined with
health and insurance records, bank loans, divorce records, election contributions
and political activities, corporations can create a detailed dossier.

And studies show that Americans trust corporations more
than they trust their government, so they're more likely to give companies
their information freely. A 2002 phone survey about a proposed national
ID plan, conducted by Gartner, found respondents preferred private industry
-- such as bank or credit card companies -- to administer a national ID
system rather than the government.

Stanley said most people are unaware how information
about them is passed on to government agencies and processed.

"People have a right to know just how information
about them is being used and combined into a high-resolution picture of
(their) life," Stanley said.

Although the Privacy Act attempted to put stops on government
surveillance, Stanley said that its authors did not anticipate the explosion
in private-sector data collection.

"It didn't anticipate the growth of data aggregators
and the tremendous amount of information that they're able to put together
on virtually everyone or the fact that the government could become customers
of these companies," Stanley said.

Although the report focused primarily on the flow of
data from corporations to the government, data flow actually goes both
ways. The government has shared its watch lists with the private sector,
opening the way for potential discrimination against customers who appear
on the lists. Under section 314 of the Patriot Act, the government can
submit a suspect list to financial institutions to see whether the institution
has conducted transactions with any individuals or organizations on the
list. But once the government shares the list, nothing prevents the institution
from discriminating against individuals or organizations on the list.

After the terror attacks of Sept. 11, 2001, the FBI circulated
a watch list to corporations that contained hundreds of names of people
the FBI was interested in talking to, although the people were not under
investigation or wanted by the FBI. Companies were more than happy to check
the list against the names of their customers. And if they used the list
for other purposes, it's difficult to know. The report notes that there
is no way to determine how many job applicants might have been denied work
because their names appeared on the list.

"It turns companies into sheriff's deputies, responsible
not just for feeding information to the government, but for actually enforcing
the government's wishes, for example by effectively blacklisting anyone
who has been labeled as a suspect under the government's less-than-rigorous
procedures for identifying risks," the report states.

Last March, the Technology and Privacy Advisory Committee,
created by Secretary of Defense Donald Rumsfeld to examine government data
mining, issued a report (PDF) stating that "rapid action is necessary"
to establish clear guidelines for responsible government data mining.

The ACLU's Stanley said companies are in the initial
stages of the Homeland Security gold rush to get government contracts,
and that the public and Congress need to do something before policies and
practices of private-sector surveillance solidify.

"Government security agencies always have a hunger
for more and more information," said Stanley. "It's only natural.
It makes it easier for law enforcement if they have access to as much info
as they want. But it's crucial that policy makers and political leaders
balance the needs of law enforcement and the value of privacy that Americans
have always expected and enjoyed."